Embed Size (px)
Citation preview
L2TP over IPsec
This chapter describes how to configure L2TP over IPsec/IKEv1 on the ASA.
• About L2TP over IPsec/IKEv1 VPN, on page 1• Licensing Requirements for L2TP over IPsec, on page 3• Prerequisites for Configuring L2TP over IPsec, on page 3• Guidelines and Limitations, on page 3• Configuring L2TP over Eclipse with CLI, on page 5• Feature History for L2TP over IPsec, on page 10
About L2TP over IPsec/IKEv1 VPNLayer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote clients to use the publicIP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port1701) to tunnel the data.
L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server(LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as arouter, while the LAC can be a dial-up Network Access Server (NAS) or an endpoint device with a bundledL2TP client such as Microsoft Windows, Apple iPhone, or Android.
The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote userscan access a VPN over a public IP network without a gateway or a dedicated line, which enables remote accessfrom virtually anyplace with POTS. An additional benefit is that no additional client software, such as CiscoVPN client software, is required.
L2TP over IPsec supports only IKEv1. IKEv2 is not supported.Note
The configuration of L2TP with IPsec/IKEv1 supports certificates using the preshared keys or RSA signaturemethods, and the use of dynamic (as opposed to static) cryptomaps. This summary of tasks assumes completionof IKEv1, as well as pre-shared keys or RSA signature configuration. See Chapter 41, “Digital Certificates,”in the general operations configuration guide for the steps to configure preshared keys, RSA, and dynamiccrypto maps.
L2TP over IPsec1
L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated in suchoperating systems as Windows, MAC OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported,native L2TP itself is not supported on ASA. The minimum IPsec security association lifetime supported bythe Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windowsclient ignores it and replaces it with a 300 second lifetime.
Note
IPsec Transport and Tunnel ModesBy default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it becomesthe payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPsec proxy.That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwardsthem along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on tothe destination system. The major advantage of tunnel mode is that the end systems do not need to be modifiedto receive the benefits of IPsec. Tunnel mode also protects against traffic analysis; with tunnel mode, anattacker can only determine the tunnel endpoints and not the true source and destination of the tunneledpackets, even if they are the same as the tunnel endpoints.
However, the Windows L2TP/IPsec client uses IPsec transport mode—only the IP payload is encrypted, andthe original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packetand allowing devices on the public network to see the final source and destination of the packet. The followingfigure illustrates the differences between IPsec tunnel and transport modes.
Figure 1: IPsec in Tunnel and Transport Modes
In order forWindows L2TP and IPsec clients to connect to the ASA, you must configure IPsec transport modefor a transform set using the crypto ipsec transform-set trans_name mode transport command. Thiscommand is used in the configuration procedure.
ASA cannot push more than 28 ACE in split-tunnel access-list.Note
L2TP over IPsec2
L2TP over IPsecIPsec Transport and Tunnel Modes
With this transport capability, you can enable special processing (for example, QoS) on the intermediatenetwork based on the information in the IP header. However, the Layer 4 header is encrypted, which limitsthe examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport modeallows an attacker to perform some traffic analysis.
Licensing Requirements for L2TP over IPsec
This feature is not available on No Payload Encryption models.Note
IPsec remote access VPN using IKEv2 requires an AnyConnect Plus or Apex license, available separately.IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2 uses the Other VPNlicense that comes with the base license. See Cisco ASA Series Feature Licenses for maximum values permodel.
Prerequisites for Configuring L2TP over IPsecConfiguring L2TP over IPsec has the following prerequisites:
• Group Policy-You can configure the default group policy (DfltGrpPolicy) or a user-defined group policyfor L2TP/IPsec connections. In either case, the group policy must be configured to use the L2TP/IPsectunneling protocol. If the L2TP/IPsec tunning protocol is not configured for your user-defined grouppolicy, configure the DfltGrpPolicy for the L2TP/IPsec tunning protocol and allow your user-definedgroup policy to inherit this attribute.
• Connection Profile-You need to configure the default connection proflie (tunnel group), DefaultRAGroup,if you are performing “pre-shared key” authentication. If you are performing certificate-basedauthentication, you can use a user-defined connection profile that can be chosen based on certificateidentifiers.
• IP connectivity needs to be established between the peers. To test connectivity, try to ping the IP addressof the ASA from your endpoint and try to ping the IP address of your endpoint from the ASA.
• Make sure that UDP port 1701 is not blocked anywhere along the path of the connection.
• If a Windows 7 endpoint device authenticates using a certificate that specifies a SHA signature type, thesignature type must match that of the ASA, either SHA1 or SHA2.
Guidelines and LimitationsThis section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single context mode.
L2TP over IPsec3
L2TP over IPsecLicensing Requirements for L2TP over IPsec
Firewall Mode Guidelines
Supported only in routed firewall mode. Transparent mode is not supported.
Failover Guidelines
L2TP over IPsec sessions are not supported by stateful failover.
IPv6 Guidelines
There is no native IPv6 tunnel setup support for L2TP over IPsec.
Software Limitation on All Platforms
We currently only support 4096 L2TP over IPsec tunnels.
Authentication Guidelines
The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the localdatabase. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongsto a tunnel group configured with the authentication eap-proxy or authentication chap commands, and theASA is configured to use the local database, that user will not be able to connect.
Supported PPP Authentication Types
L2TP over IPsec connections on the ASA support only the PPP authentication types as shown:
Table 1: AAA Server Support and PPP Authentication Types
Supported PPP Authentication TypesAAA Server Type
PAP, MSCHAPv1, MSCHAPv2LOCAL
PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-ProxyRADIUS
PAP, CHAP, MSCHAPv1TACACS+
PAPLDAP
PAPNT
PAPKerberos
SDISDI
Table 2: PPP Authentication Type Characteristics
CharacteristicsAuthentication TypeKeyword
In response to the server challenge,the client returns the encrypted[challenge plus password] with acleartext username. This protocolis more secure than the PAP, but itdoes not encrypt data.
CHAPchap
L2TP over IPsec4
L2TP over IPsecGuidelines and Limitations
CharacteristicsAuthentication TypeKeyword
Enables EAP which permits thesecurity appliance to proxy the PPPauthentication process to anexternal RADIUS authenticationserver.
EAPeap-proxy
Similar to CHAP but more securein that the server stores andcompares only encrypted passwordsrather than cleartext passwords asin CHAP. This protocol alsogenerates a key for data encryptionby MPPE.
Microsoft CHAP, Version 1
Microsoft CHAP, Version, 2ms-chap-v1ms-chap-v2
Passes cleartext username andpassword during authentication andis not secure.
PAPpap
Configuring L2TP over Eclipse with CLIYou must configure IKEv1 (ISAKMP) policy settings to allow native VPN clients to make a VPN connectionto the ASA using the L2TP over Eclipse protocol.
• IKEv1 phase 1—3DES encryption with SHA1 hash method.
• Eclipse phase 2—3DES or AES encryption with MD5 or SHA hash method.
• PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred).
• Pre-shared key (only for iPhone).
Procedure
Step 1 Create a transform set with a specific ESP encryption type and authentication type.
crypto ipsec ike_version transform-set transform_name ESP_Encryption_Type ESP_Authentication_Type
Example:crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac
Step 2 Instruct Eclipse to use transport mode rather than tunnel mode.
crypto ipsec ike_version transform-set trans_name mode transport
Example:crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
Step 3 Specify L2TP/Eclipse as the vpn tunneling protocol.
vpn-tunnel-protocol tunneling_protocol
L2TP over IPsec5
L2TP over IPsecConfiguring L2TP over Eclipse with CLI
Example:hostname(config)# group-policy DfltGrpPolicy attributeshostname(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
Step 4 (Optional) Instruct the adaptive security appliance to send DNS server IP addresses to the client for the grouppolicy.
dns value [none | IP_Primary | IP_Secondary]
Example:hostname(config)# group-policy DfltGrpPolicy attributeshostname(config-group-policy)# dns value 209.165.201.1 209.165.201.2
Step 5 (Optional) Instruct the adaptive security appliance to sendWINS server IP addresses to the client for the grouppolicy.
wins-server value [none | IP_primary [IP_secondary]]
Example:hostname(config)# group-policy DfltGrpPolicy attributeshostname (config-group-policy)# wins-server value 209.165.201.3 209.165.201.4
Step 6 (Optional) Create an IP address pool.
ip local pool pool_name starting_address-ending_address mask subnet_mask
Example:hostname(config)# ip local pool sales_addresses 10.4.5.10-10.4.5.20 mask 255.255.255.0
Step 7 (Optional) Associate the pool of IP addresses with the connection profile (tunnel group).
address-pool pool_name
Example:hostname(config)# tunnel-group DefaultRAGroup general-attributeshostname(config-tunnel-general)# address-pool sales_addresses
Step 8 Link the name of a group policy to the connection profile (tunnel group).
default-group-policy name
Example:hostname(config)# tunnel-group DefaultRAGroup general-attributeshostname(config-tunnel-general)# default-group-policy DfltGrpPolicy
Step 9 Specify an authentication server to verify users attempting L2TP over the IPsec connections. If you want theauthentication to fallback to local authentication when the server is not available, add LOCAL to the end ofthe command.
authentication-server-group server_group [local]
Example:hostname(config)# tunnel-group DefaultRAGroup general-attributeshostname(config-tunnel-general)# authentication-server-group sales_server LOCAL
Step 10 Specify a method to authenticate users attempting L2TP over Eclipse connections, for the connection profile(tunnel group). If you are not using the ASA to perform local authentication, and you want to fallback to localauthentication, add LOCAL to the end of the command.
L2TP over IPsec6
L2TP over IPsecConfiguring L2TP over Eclipse with CLI
authentication auth_type
Example:hostname(config)# tunnel-group DefaultRAGroup ppp-attributeshostname(config-ppp)# authentication ms-chap-v1
Step 11 Set the pre-shared key for your connection profile (tunnel group).
tunnel-group tunnel group name ipsec-attributes
Example:hostname(config)# tunnel-group DefaultRAGroup ipsec-attributeshostname(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
Step 12 (Optional) Generate a AAA accounting start and stop record for an L2TP session for the connection profile(tunnel group).
accounting-server-group aaa_server_group
Example:hostname(config)# tunnel-group DefaultRAGroup general-attributeshostname(config-tunnel-general)# accounting-server-group sales_aaa_server
Step 13 Configure the interval (in seconds) between hello messages. The range is 10 through 300 seconds. The defaultinterval is 60 seconds.
l2tp tunnel hello seconds
Example:hostname(config)# l2tp tunnel hello 100
Step 14 (Optional) Enable NAT traversal so that ESP packets can pass through one or more NAT devices.
If you expect multiple L2TP clients behind a NAT device to attempt L2TP over Eclipse connections to theadaptive security appliance, you must enable NAT traversal.
crypto isakmp nat-traversal seconds
To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the crypto isakmpenable command) in global configuration mode, and then use the crypto isakmp nat-traversal command.
Example:hostname(config)# crypto ikev1 enablehostname(config)# crypto isakmp nat-traversal 1500
Step 15 (Optional) Configure tunnel group switching. The goal of tunnel group switching is to give users a betterchance at establishing a VPN connection when they authenticate using a proxy authentication server. Tunnelgroup is synonymous with connection profile.
strip-group
strip-realm
Example:hostname(config)# tunnel-group DefaultRAGroup general-attributeshostname(config-tunnel-general)# strip-grouphostname(config-tunnel-general)# strip-realm
Step 16 (Optional) Create a user with the username jdoe, the password j!doe1. The mschap option specifies thatthe password is converted to Unicode and hashed using MD4 after you enter it.
L2TP over IPsec7
L2TP over IPsecConfiguring L2TP over Eclipse with CLI
This step is needed only if you are using a local user database.
username name password password mschap
Example:asa2(config)# username jdoe password j!doe1 mschap
Step 17 Create the IKE Policy for Phase 1 and assign it a number.
crypto ikev1 policy priority
group Diffie-Hellman Group
There are several different parameters of the IKE policy that you can configure. You can also specify aDiffie-Hellman Group for the policy. The isakamp policy is used by the ASA to complete the IKE negotiation.
Example:hostname(config)# crypto ikev1 policy 5hostname(config-ikev1-policy)#
Creating IKE Policies to Respond to Windows 7 ProposalsWindows 7 L2TP/IPsec clients send several IKE policy proposals to establish a VPN connection with theASA. Define one of the following IKE policies to facilitate connections fromWindows 7 VPN native clients.
Follow the procedure Configuring L2TP over IPsec for ASA. Add the additional steps in this task to configurethe IKE policy for Windows 7 native VPN clients.
Procedure
Step 1 Display the attributes and the number of any existing IKE policies.
Example:hostname(config)# show run crypto ikev1
Step 2 Configure an IKE policy. The number argument specifies the number of the IKE policy you are configuring.This number was listed in the output of the show run crypto ikev1 command.
crypto ikev1 policy number
Step 3 Set the authentication method the ASA uses to establish the identity of each IPsec peer to use preshared keys.
Example:hostname(config-ikev1-policy)# authentication pre-share
Step 4 Choose a symmetric encryption method that protects data transmitted between two IPsec peers. For Windows7, choose 3des or aes for 128-bit AES, or aes-256.
encryption {3des|aes|aes-256}
Step 5 Choose the hash algorithm that ensures data integrity. For Windows 7, specify sha for the SHA-1 algorithm.
L2TP over IPsec8
L2TP over IPsecCreating IKE Policies to Respond to Windows 7 Proposals
Example:hostname(config-ikev1-policy)# hash sha
Step 6 Choose the Diffie-Hellman group identifier. You can specify 5 for aes, aes-256, or 3des encryption types.You can specify 2 only for 3des encryption types .
Example:hostname(config-ikev1-policy)# group 5
Step 7 Specify the SA lifetime in seconds. For Windows 7, specify 86400 seconds to represent 24 hours.
Example:hostname(config-ikev1-policy)# lifetime 86400
Configuration Example for L2TP over IPsecThe following example shows configuration file commands that ensure ASA compatibility with a native VPNclient on any operating system:ip local pool sales_addresses 209.165.202.129-209.165.202.158group-policy sales_policy internalgroup-policy sales_policy attributeswins-server value 209.165.201.3 209.165.201.4dns-server value 209.165.201.1 209.165.201.2vpn-tunnel-protocol l2tp-ipsectunnel-group DefaultRAGroup general-attributesdefault-group-policy sales_policyaddress-pool sales_addressestunnel-group DefaultRAGroup ipsec-attributespre-shared-key *tunnel-group DefaultRAGroup ppp-attributesno authentication papauthentication chapauthentication ms-chap-v1authentication ms-chap-v2crypto ipsec ikev1 transform-set trans esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set trans mode transportcrypto dynamic-map dyno 10 set ikev1 transform-set transcrypto map vpn 20 ipsec-isakmp dynamic dynocrypto map vpn interface outsidecrypto ikev1 enable outsidecrypto ikev1 policy 10authentication pre-shareencryption 3des
hash shagroup 2
lifetime 86400
L2TP over IPsec9
L2TP over IPsecConfiguration Example for L2TP over IPsec
Feature History for L2TP over IPsecFeature InformationReleasesFeature Name
L2TP over IPsec provides thecapability to deploy and administeran L2TP VPN solution alongsidethe IPsec VPN and firewall servicesin a single platform.
The primary benefit of configuringL2TP over IPsec in a remote accessscenario is that remote users canaccess a VPN over a public IPnetwork without a gateway or adedicated line, which enablesremote access from virtuallyanyplace with POTS. An additionalbenefit is that the only clientrequirement for VPN access is theuse of Windows with MicrosoftDial-Up Networking (DUN). Noadditional client software, such asCisco VPN client software, isrequired.
The following commands wereintroduced or modified:authentication eap-proxy,authentication ms-chap-v1,authentication ms-chap-v2,authentication pap, l2tp tunnelhello, vpn-tunnel-protocoll2tp-ipsec.
7.2(1)L2TP over IPsec
L2TP over IPsec10
L2TP over IPsecFeature History for L2TP over IPsec
